TomatoRTC

Certification readiness for teams that self-host.

For CISOs, procurement, compliance officers, and security engineers. Honest status up front: TomatoRTC does not currently hold vendor SOC 2 certification — this deck explains what we provide instead.

SOC 2 evidence kit Shared responsibility Hardened templates Pen-test coordination

Shared responsibility

Self-hosted software changes who holds the certificate.

A vendor SOC 2 report from a hosted CPaaS covers their cloud boundary. With TomatoRTC, your deployment is the system — our Compliance package supplies evidence to speed your audit.

  • TomatoRTC (software) Platform controls: tenant isolation, WSS/DTLS/SRTP, audit chain, admin API hardening, redaction helpers.
  • You (operator) Cloud account, network perimeter, IdP integration, log retention, backup/DR, personnel policies.
  • Your auditor System boundary definition, observation window, and Trust Services Criteria opinion.

Certification status

What TomatoRTC holds today — and what you pursue on your infrastructure.

Program
TomatoRTC vendor
Your deployment
SOC 2 Type II
Not held
Pursue on your infra with evidence kit
HIPAA BAA
Not offered on TomatoRTC-operated infra
Deploy in your HIPAA-covered cloud
GDPR / residency
No TomatoRTC cloud in self-host mode
You choose regions and retention
ISO 27001 / FedRAMP
Not in scope
Map into your ISMS if required

SOC 2 evidence kit

Structured audit evidence — not a vendor certificate.

Ships with the Compliance package license add-on. Maps platform controls to AICPA Trust Services Criteria and tells auditors what to inspect.

Responsibility matrix

Splits TomatoRTC software controls from your cloud, IdP, and operations obligations.

TSC control mapping

Security, Availability, and Confidentiality criteria tied to features, env vars, and exports.

Hardened templates

Production TLS, admin CSRF/origin lockdown, K8s NetworkPolicy, TURN relay ranges.

Policy templates

Starter policies auditors expect — your counsel reviews and adopts.

Evidence guide

What to pull: audit chain export, OTel traces, admin logs, redacted support bundles.

Pen-test brief

Scoped methodology and dedicated test environment coordination.

Evidence inputs

Platform controls auditors commonly reference.

Available today — not a SOC 2 report by themselves. Your operators must configure and retain evidence per the security hardening guide.

Tenant isolation

tenantId:roomId namespace — cross-tenant join rejected even with a valid token.

Transport security

WSS, DTLS/SRTP, short-lived tenant-scoped TURN credentials.

Auth & authz

RS256/JWKS/OIDC with your IdP; RBAC at handler level; separate admin token scope.

Audit & redaction

Hash-chained audit log, SIEM export, support bundles strip tokens and secrets.

Your path

Six steps from quote to auditor-ready evidence.

  1. Add Compliance package

    +$35k/yr license add-on on Business or Enterprise quote

  2. Receive evidence kit

    Walk through shared responsibility matrix with your TAM

  3. Deploy hardened

    Apply templates and security-hardening checklist in target environment

  4. Wire exports

    Audit chain and telemetry into your SIEM for the observation window

  5. Engage auditor

    Kit mapping plus your cloud-provider SOC reports

  6. Optional pen-test

    Coordinated test environment — Enterprise + Compliance package

Pen-test coordination

Guided testing against a dedicated environment.

Enterprise license holders with the Compliance package can arrange scoped penetration testing. Findings route through security@tomatortc.com with remediation SLA alignment.

  • Scope Dedicated test environment — not production traffic. Methodology aligned to your threat model.
  • Deliverable Findings report suitable for pre-audit hardening — supplements, not replaces, your auditor procedures.
  • Retest Retest window negotiated per engagement after remediation.

Pricing

Compliance is an add-on — not included in base license tiers.

Compliance package

+$35k/yr — SOC 2 evidence kit, hardened deployment templates, pen-test coordination.

TCO note

Default TCO scenarios exclude compliance. Add this line item when procurement requires structured audit evidence.

Full add-on list

Regions, CCU burst, AI workers, premium support, migration SOW — see pricing deck.

Base license

Starter $28k/yr · Business $84k/yr · Enterprise $220k+/yr — compliance stacks on top.

Review controls. Request the kit. Scope your quote.

  1. Review threat model

    Security & compliance deck — covers controls, hardening checklist, and evidence categories.

  2. Request kit TOC

    sales@tomatortc.com — Compliance package sample deliverables

  3. Scope quote

    License tier + Compliance add-on + self-managed or managed path